My Blog Was Hacked & What You Can Learn From It

When I see the “Upgrade” notice in WordPress, I always wait a few weeks before I upgrade.

Why?

Because I want to give developers time to ensure their plugins are compatible with the newest version. Not to mention there are often bugs with the new release.

Well, let me just say I will be more diligent about doing updates in the future.

Last Thursday I came home, went to my blog’s homepage, and saw a strange-looking parse error. No content was loading at all and I couldn’t even log in to the admin panel.

Craaaap!

I FTP’d into my server and noticed my theme’s functions.php file had been modified three hours earlier. I knew something was up because I wasn’t even home when the file was changed.

So I called my host and their awesome support staffer (shout out to Robert!) was able to quickly verify that the site had been compromised.

He asked me if I had upgraded to the latest version of WordPress (3.5). I had, but a smaller security update (3.5.1) had been released the same day, which probably addressed the hole that was used against my blog.

Fortunately, I had a backup of my original theme files, so I re-uploaded the Genesis Lifestyle Theme and that fixed the issue. Thankfully it only took a few seconds to restore everything.

That led me to think…

There are always tips floating around about backing up the WordPress database, but you should also keep a backup of your actual theme folder (wp-content/themes/<your-theme> on your server). Without a known-good copy you have nothing to compare a suspect file against and nothing clean to put back.

Remember, your theme files and database live in two separate places: the theme is on the web server’s filesystem and the database is in MySQL, so a database backup alone does not cover it.
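A known-good copy is also what lets you tell which files changed. The script below is an added example, not code from the original post or from the Genesis theme: it records a sha256 manifest of a theme directory right after a clean install or restore and later compares the live copy against it, listing changed, missing and added files by name. It assumes GNU coreutils (sha256sum, find -exec ... +) and uses made-up paths; the demo builds a throwaway theme directory in a temp folder and tampers with it the way the author’s functions.php was.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Record a sha256 baseline of a theme directory and compare the live copy
# against it later, so a modified functions.php or a file an attacker added
# shows up by name instead of being noticed only once the site breaks.
# Assumes GNU coreutils; all paths are hypothetical.

# Write a manifest: one "hash  ./relative/path" line per file, sorted by path.
make_manifest() {           # $1 = theme dir, $2 = manifest file to write
    ( cd "$1" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k 2 ) > "$2"
}

# Compare a live directory against a manifest.
# Returns 0 when identical; otherwise prints each changed, missing or new
# path once and returns 1.
check_manifest() {          # $1 = theme dir, $2 = baseline manifest
    tmp=$(mktemp)
    make_manifest "$1" "$tmp"
    if cmp -s "$2" "$tmp"; then
        rm -f "$tmp"
        return 0
    fi
    diff "$2" "$tmp" | awk '/^[<>]/ { print $3 }' | LC_ALL=C sort -u
    rm -f "$tmp"
    return 1
}

# Files touched after the baseline was taken, by mtime (what the author
# spotted over FTP). Timestamps are easy to forge; trust the hashes first.
changed_since_baseline() {  # $1 = theme dir, $2 = baseline manifest
    find "$1" -type f -newer "$2"
}

# Demo on a constructed directory standing in for wp-content/themes/<theme>.
demo() {
    work=$(mktemp -d)
    theme="$work/theme"
    mkdir -p "$theme/lib"
    printf '<?php // theme setup\n'  > "$theme/functions.php"
    printf '/* Theme Name: Demo */\n' > "$theme/style.css"
    printf '<?php // helpers\n'      > "$theme/lib/init.php"

    make_manifest "$theme" "$work/baseline.sha256"
    check_manifest "$theme" "$work/baseline.sha256" && echo "baseline clean"

    # Simulate the tampering: a line appended to functions.php and a new file.
    printf '// injected line\n' >> "$theme/functions.php"
    printf '<?php // dropped\n'  > "$theme/lib/extra.php"
    check_manifest "$theme" "$work/baseline.sha256" || echo "TAMPERED (see list above)"

    rm -rf "$work"
}

demo
```

Keep the manifest off the server (next to your theme backup), since an attacker who can edit functions.php can just as easily rewrite a manifest stored beside it.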

Take-Home Lessons

1. Back up both your database and your theme files. You can download the files manually through FTP or use a plugin that backs up both. (See Online Backup for WordPress.)

If you want to learn how to manually upload/download WordPress folders and files using FTP, I have a tutorial on my static site.

2. If you’re re-uploading the original theme folder, don’t overwrite the style.css file because it may contain customizations you’ve made.

I was glad I remembered that on Thursday. That would have been a pain to make all those modifications again.

The same goes for your favicon file. If you’ve uploaded your own favicon, be careful not to overwrite it with the original theme favicon (if applicable).

3. Upgrade to the latest WordPress version as soon as you can. Like a lot of you, I would wait because of potential plugin incompatibility.

Not anymore. If I have to disable a few of them, so be it.

4. Contact your theme developer and let them know what happened in case there’s a vulnerability in your theme. And look beyond the theme: a restored theme folder removes the modified file, but it does not tell you how the attacker got in or whether anything else was left behind, so check your plugin folder, wp-content/uploads, wp-config.php and your list of admin users as well.

In my case, it was more than likely a security hole in v3.5 since it happened right before a new security patch launched.
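Lessons 1 and 2 together describe one restore procedure; here it is as a script, added as an example and not taken from the post. It keeps style.css and the favicon from the live copy (the file list is an assumption to extend for anything else you customised), flags a kept file that differs from the clean backup so it gets reviewed rather than trusted blindly, and moves the compromised theme aside instead of deleting it, so there is still something to show the host or theme developer. Paths are hypothetical; the demo runs on a constructed pair of directories.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Put a clean copy of a theme back over a compromised one while keeping the
# files that hold local customisations, and keep the compromised copy aside
# instead of deleting it. Paths are hypothetical; KEEP is an assumption.

KEEP="style.css favicon.ico"

# $1 = clean backup copy of the theme, $2 = live theme directory.
# Prints the path the compromised copy was moved to.
restore_theme() {
    clean=$1; live=$2
    stash=$(mktemp -d)

    # 1. Save the customised files from the live copy.
    for f in $KEEP; do
        if [ -f "$live/$f" ]; then
            cp -p "$live/$f" "$stash/$f"
            # A kept file could have been edited by the attacker too; flag any
            # difference from the clean copy so it gets reviewed, not trusted.
            if [ -f "$clean/$f" ] && ! cmp -s "$clean/$f" "$stash/$f"; then
                echo "note: $f differs from the clean copy; diff it before trusting it" >&2
            fi
        fi
    done

    # 2. Move the live directory aside (evidence for the host or theme
    #    developer) rather than deleting it, then copy the clean tree into
    #    place. Files the attacker added stay behind in the quarantined copy.
    quarantine="$live.compromised-$(date +%Y%m%d%H%M%S)"
    mv "$live" "$quarantine"
    cp -pR "$clean" "$live"

    # 3. Put the customised files back.
    for f in $KEEP; do
        if [ -f "$stash/$f" ]; then cp -p "$stash/$f" "$live/$f"; fi
    done
    rm -rf "$stash"
    echo "$quarantine"
}

# Demo on a constructed theme pair.
demo() {
    w=$(mktemp -d)
    mkdir -p "$w/clean" "$w/live"
    printf 'clean functions\n' > "$w/clean/functions.php"
    printf '/* stock */\n'     > "$w/clean/style.css"
    printf 'tampered\n'        > "$w/live/functions.php"
    printf '/* custom */\n'    > "$w/live/style.css"
    printf 'added\n'           > "$w/live/extra.php"
    q=$(restore_theme "$w/clean" "$w/live")
    echo "compromised copy kept at $q"
    cat "$w/live/functions.php" "$w/live/style.css"   # clean code, custom CSS
    rm -rf "$w"
}

demo
```

Copying the whole clean tree rather than overwriting file by file is deliberate: an overwrite leaves any file the attacker added in place, while a replace drops it and keeps it in the quarantined copy for a look later.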

How I Back Up My WordPress Sites

I used to use WP Database Backup which would email the file, but the database got so large, my mail server blocked it.

There is an option to store the backup on your server, but I don’t want a copy of my database just sitting on my hosting account. Too risky.

Now, I just manually download my database through my hosting control panel, and I also manually download the theme files via FTP.

Backing up your database manually is pretty easy. It may sound intimidating, but all you do is log in to your hosting account and go to the “Database” area.

Most web hosts have phpMyAdmin installed…

If you use cPanel, just click the phpMyAdmin icon and it will take you to a screen that allows you to export your database.

Select the following options in the screenshot below, and a download of your entire database will begin.

Your screen may look a bit different depending on the version of phpMyAdmin you have. This is 3.5.5.

When it’s done, you will have an .SQL file on your computer. This is your complete WordPress database: posts, pages and comments, but also user accounts (with their password hashes) and every setting in the options table, which is one more reason not to leave the file on the server or in a web-accessible folder.

Yes, you can use the WordPress Export feature in the Tools menu, but I like having the entire database structure. The Export tool writes a WXR (XML) file of your content only; it does not carry user accounts, plugin settings or the rest of the options table, so it is not a substitute for a database dump.

And I know plugins are convenient as well, but I just feel more comfortable doing the backups manually because I can physically see that it’s being done correctly.

I’ve heard stories about people using plugins, only to realize (when it was too late) that the plugin wasn’t backing up correctly or completely.
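One way to catch a backup that is not complete is to check the .sql file before you need it. The script below is an added example, not from the post: it lists the tables a dump creates, checks that the eleven core WordPress tables of the 3.5 era are all present under the expected prefix (wp_ by default, or one you pass in), and warns if a mysqldump file is missing its closing line. It also shows the mysqldump command that the phpMyAdmin export corresponds to; that function needs real credentials and is not run by the demo, which works on a constructed dump.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Verify that an exported WordPress .sql file really contains the core
# tables before relying on it, and that a mysqldump export was not cut off.
# Assumes the wp_ prefix unless one is passed, and the 3.5-era core table
# list below; extra plugin tables are fine as long as the core ones exist.

CORE_TABLES="commentmeta comments links options postmeta posts terms term_relationships term_taxonomy usermeta users"

# Make the dump with mysqldump (what the phpMyAdmin export does for you).
# Not run by the demo: it needs real credentials. -p with no value prompts
# for the password so it never lands in the process list or shell history.
dump_db() {                 # $1 = db name, $2 = db user, $3 = output file
    mysqldump --single-transaction --add-drop-table -u "$2" -p "$1" > "$3"
}

# Table names created by a dump, one per line. Handles "CREATE TABLE `x`"
# (mysqldump) and "CREATE TABLE IF NOT EXISTS `x`" (phpMyAdmin), quoted or not.
dump_tables() {             # $1 = .sql file
    sed -n '/^CREATE TABLE/{ s/^CREATE TABLE[[:space:]]*//; s/^IF NOT EXISTS[[:space:]]*//; s/^`//; s/[` (].*$//; p; }' "$1"
}

# Returns 0 if every core table is present; otherwise lists the missing ones
# and returns 1. Warns if a mysqldump file lacks its closing marker.
check_dump() {              # $1 = .sql file, $2 = table prefix (default wp_)
    prefix=${2:-wp_}
    present=$(dump_tables "$1")
    missing=""
    for t in $CORE_TABLES; do
        if ! echo "$present" | grep -qxF "$prefix$t"; then
            missing="$missing $prefix$t"
        fi
    done
    if [ -n "$missing" ]; then
        echo "missing tables:$missing"
        return 1
    fi
    if grep -q '^-- MySQL dump' "$1" && ! grep -q '^-- Dump completed' "$1"; then
        echo "warning: mysqldump header present but no 'Dump completed' line (truncated?)"
    fi
    echo "ok: $(echo "$present" | wc -l | tr -d ' ') tables, all core tables present"
    return 0
}

# Demo on a constructed dump: the full set, then the same file with the
# users tables stripped, the kind of gap a half-working backup leaves.
demo() {
    d=$(mktemp -d)
    {
        echo '-- MySQL dump 10.13'
        for t in $CORE_TABLES; do
            echo "CREATE TABLE \`wp_$t\` (\`id\` bigint(20) NOT NULL);"
        done
        echo 'CREATE TABLE IF NOT EXISTS `wp_some_plugin` (`id` int(11));'
        echo '-- Dump completed on 2013-01-31'
    } > "$d/full.sql"
    grep -v 'wp_user' "$d/full.sql" > "$d/partial.sql"
    check_dump "$d/full.sql"
    check_dump "$d/partial.sql" || echo "do not trust partial.sql"
    rm -rf "$d"
}

demo
```

Run check_dump against every export you keep, not just the first one; a dump that was fine last month can be silently truncated this month if the database has grown past a size or time limit.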

When’s the last time you did a full backup of your site? Please share your routine.

Comments

Thanks for the valuable sharing. I got hacked too, but just changed themes and that seemed to get rid of the compromised code. I was updated to the latest version too, 3.5.1. What I’m wondering is how often to back up.

Thanks for the nice reminder. Perhaps everybody knows about the risks of working online but feels safe up to the moment when they are not anymore. We should take a backup of all the work we did in the past year, so in case something unusual happens we can rely on it.

There’s a guide called BlogDefender that really helped me tighten up security on my blogs. In it, it recommends a plugin called Automatic Updater that… you guessed it… automatically updates WordPress to the latest version.

With WordPress being so popular, hacking will probably just get worse. My brother’s WordPress blogs have been hacked several times already this year.

Hey Lisa, thanks for sharing your experience, and yes, hacking has become common nowadays, so we have to make sure we make a backup of our blog every time. I really like the way you tell us how to make a backup.

It’s something that everybody really needs to be careful of, whether it’s making sure your file permissions aren’t universally set to 777, that your site has the latest version of WP, or just that it’s backed up regularly.

Like another poster, I awoke one morning to find a client’s site with a bloodcurdling graphic (some Islamic stuff) letting me know my site had been hacked.

Ok that’s very odd. But there are different breeds of hackers. Some are what they call “considerate hackers” who do it just to see if they can get in but they don’t want to harm you. I had one hacker email me and told me how to close an “exploit” I had on my blog. He said he was a fan and didn’t want to harm my site but just wanted to see if he could get in.

Yes that’s odd for sure. I was talking to him again and he said that it was a hacking mistake and that he did not mean to screw anything up. He says that’s why he gave me the password. I still don’t trust him though so I have to get it fixed. He offered to fix it. That’s very nice of the person to tell you about the exploit. Thanks for sharing Lisa!

Hi Lisa,
Been a long time lurker on your blog but decided to pitch in with my comment here 🙂 – One of the WP sites I was developing for a client recently got hacked simply because our developers hadn’t taken some basic precautions in securing the site. In most cases, this is quite easy with WordPress – our personal preference being Better WP Security or WordFence (not affiliated with either). Just goes to show that you always think it will never happen to you, but when it does, it can be a costly mistake!
Cheers,
Dee

No one likes their site to be hacked and I feel sorry for you and your site. Anyway, your post should serve as a reminder that not all upgrades are good and that before upgrading something on your site, you should double-check first. It’s not bad to be cautious sometimes, is it? I like the screenshots. They make things easy to understand. Thanks for sharing this informative and important post.

My site was also hacked, and I learned from experience to “never trust Internet friends”. A backup is a very useful thing; nowadays I’m taking a backup almost daily. Thanks, Lisa, for this post and for sharing this.

Once upon a time I was really afraid of the hackers on my WordPress blog. I think it’s a painful task to rescue the content with images. That is why WP Database Backup from cPanel is necessary. Thanks for posting such an informative article. I really liked it and will have to follow your techniques to protect against the hackers. Thanks.

Wow. Have to admit, I started sweating just thinking about my site being compromised…!! I just opened up a WP plugin that will help me to download my precious database files in case anything crazy should happen.

I have been hacked many times with malware. WordPress sites are so vulnerable: when the themes and plugins become outdated, the hackers learn the security flaws and exploit them. You have to constantly update your sites. I have 30 of them and it can be tough. I now use Sucuri to monitor my sites and fix any problems.

Thanks Lisa for sharing your experience with us. Many of us faced this type of problem sometime. I do agree that data backup is essential. Moreover I would like to take advantage of the technique you have provided for backup.

Thanks for the informative post!!
As hacking is a very serious problem, protect your blog from the hackers. You must have a complete backup of all the posts. Use good plugins to protect your blog, and also look at where you are getting visits from; if some visits look suspicious, better look into it. Keep blogging.

I am a great fan of yours and I saw all your videos on YouTube about AdSense and all that stuff! I am so happy that I stumbled onto this site. It has helped me a lot from the view of things, and I really like the post because I am starting to learn new ways. I’m so glad that you made this site. This is one of the most important things for people to know.

Excellent article! I just got a new blog set up and I am definitely going to back up my theme and upgrade to WordPress 3.5.1. So sorry to hear you got hacked, but glad that you were able to get everything restored.

Getting hacked is the worst! Ensuring a solid backup system and hard-to-crack passwords is a must in today’s world, not just for your websites but also for your computers! Services like Carbonite are life savers. A nice WordPress trick my developer uses is to move the wp-admin to another location like site/wp-admin, or a custom/wp-admin. It can keep some of the bots away! The name of the game is reducing risk. If a good hacker wants in, they will get in, so ensure you are backed up and have as much protection as you can in place.

Hacking websites has become very common today. Even the best software and safety strategy are unable to stop this. What we actually need is caution on the part of the admins of the websites. Many times we see that some server is hacked because they didn’t change the default passwords or the admin infected the machine by carelessness. So an important aspect of preventing hacking comes from the user.

I had someone crash my WP blog http://TheseAreGreat.com. I host it on GoDaddy. The first person I spoke to said I needed to pay them $150 because it was not backed up. The second person I spoke to said it did have a backup and they helped me get it up and running again. Interesting, right? Why do people do things like that? Crazy.

Hi Lisa, great tips! Thank you 🙂 I had quite the same experience a couple of months ago. Unfortunately I had no backup… Now I know better. And I will never ever forget to upgrade. You made that clear 😉 Thanks a lot!!!

Several years ago one of my websites was hacked too, and the hacker managed to hijack some of the files and also deleted quite a few important ones. Due to that experience I learned to become more cautious when installing the website, especially database-driven scripts like WordPress and Joomla. For many people who are used to auto installation, there are a few things that could end your site in a hacker’s hands. I always make sure that the database prefix I use is different from the default wp_, as it is very easy to guess; hackers can inject your database if they are good enough to get through the security. Another thing is the name of your database: make sure it is always alphanumeric, and don’t use words but random letters and numbers. This makes it hard to guess and the hacker will have a hard time attacking your database tables.

Also make use of Cloudflare or Incapsula; they have helped me a lot in detecting bad bots and spammers. Usually it would be sufficient to keep the bad traffic away from your site, as the service will detect any type of scanning or JavaScript injection. Alternatively you can also install plugins like Wordfence or BulletProof Security to stop any type of code injection.